[UNIX] QNX Neutrino RTOS su and passwd Command Buffer Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



QNX Neutrino RTOS su and passwd Command Buffer Overflow
------------------------------------------------------------------------


SUMMARY

<http://www.qnx.com/products/rtos/> NX Software Systems Ltd.'s Neutrino
RTOS (QNX) is a real-time operating system designed for use in embedded
systems.

Any authenticated local attacker can exploit this vulnerability to gain
super-user (root) privileges on the affected system.

DETAILS

Vulnerable Systems:
* QNX Neutrino RTOS version 6.2.0
* All versions are suspected vulnerable.

Local exploitation of a buffer overflow in QNX Neutrino RTOS's (QNX) 'su'
/ 'passwd' command allows attackers to gain root privileges. The problem
specifically exists in the parsing of a long string passed as the first
argument to the set user id (setuid) binary 'su' / 'passwd'. A string
larger then approximately 4000 bytes causes a stack overflow directly
overwriting the stored return address and allowing an attacker to seize
CPU control and eventually execute arbitrary code under root privileges.

Workaround:
Clear the set user id or execute bits from the affected binary or remove
it entirely.

Disclosure Timeline:
06/04/2004 - Initial vendor notification
02/07/2006 - Public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:
<http://www.idefense.com/intelligence/vulnerabilities/display.php?id=385>
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=385



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages